Skip to main content

Documentation Index

Fetch the complete documentation index at: https://qwady.wiki/llms.txt

Use this file to discover all available pages before exploring further.

IP whitelisting allows enterprise users to restrict which client IP addresses can access their ThornGuard proxy. This is Step 3 in the security pipeline, checked immediately after authentication.
IP whitelisting is an Enterprise-only feature. Individual plan users have unrestricted IP access.

How It Works

  1. Enterprise users configure an IP whitelist via the Settings page.
  2. The whitelist is stored in the license_settings table as a JSON array.
  3. On each request, ThornGuard checks the client’s IP (from the CF-Connecting-IP header) against the whitelist.
  4. If the whitelist is empty, all IPs are allowed (default behavior).
  5. If the whitelist is non-empty, only listed IPs are permitted — all others are blocked.

Configuration

Add IP addresses from the ThornGuard dashboard Settings page. Supported formats:
  • Single IP entries: 203.0.113.10
  • IPv4 CIDR notation: 198.51.100.0/24

Example Whitelist

["203.0.113.10", "198.51.100.0/24"]

Blocked Requests

When a request is blocked by IP whitelisting:
  • The proxy returns an HTTP 403 Forbidden response.
  • A BLOCKED_IP_WHITELIST action is logged in your audit trail.
  • The details field includes the blocked client IP.
{
  "error": "ThornGuard Security: IP not authorized."
}
Be careful when configuring IP whitelists — locking yourself out requires contacting support or using the Wrangler CLI to update your license_settings directly.